Secure transmission system for a digital trunked radio system

ABSTRACT

A security system for a digital trunked radio system having a digital control channel and a plurality of working channels, wherein said working channels are assigned for temporary use of individual radio units by digital control signals transmitted over said control channel, said control channel carrying digital control signals between a base site and said radio units, comprising a digital key, said key used to limit access to the system equipment and system control channel transmissions.

FIELD OF THE INVENTION

[0001] The present invention relates, in general, to digital trunked radio systems, and more specifically to a security system for a digital trunked radio system.

BACKGROUND OF THE INVENTION

[0002] Trunked digital radio communication systems are commonly used by public service organizations, such as police, fire, and ambulance squads, and by many private organizations to communicate with each other. Trunked digital radio systems provide an efficient means to communicate between single users and/or groups of users. They allow for one call to be made to many users simultaneously, such as a police dispatcher sending out a call to all officers at once. Any officer receiving the call has the ability to respond to the dispatcher, as well as to all other officers using the system. This makes these types of communication systems well suited for public safety and municipal applications.

[0003] Digital trunked radio systems comprise a plurality of radios that communicate with each other via a base station. An illustration of one example of a digital trunked radio system is shown in FIG. 1. FIG. 1 illustrates a system with one base station; however, a system can contain several base stations networked together over a wide geographic area, with each station known as a site. On large systems, each radio communicates with a site within its range of transmission, and switches between sites when the radio travels throughout the geographic area covered by the system.

[0004] Digital trunked radio systems operate by allowing a user to transfer a voice call (or data call) to another user or group of users on the system. The information is transferred on one of a plurality of channels, referred to as working channels. A control channel assigns a working channel to every transmission, and notifies both the transmitting radio and all receiving radios of the working channel assignment. When the transmission is completed, the assigned working channel is released, and thus becomes available for a new transmission.

[0005] Because each transmission within a single conversation could theoretically be sent on a different working channel, it was difficult for individuals outside of the system to “eavesdrop” on the users of the system using commercially available scanners. Preventing eavesdropping is an area of concern for many municipalities using digital trunked radio systems, as it is obviously critical that crucial communications between personnel (e.g., police officers) are not intercepted by individuals who are not authorized to receive them. Clearly, police officers do not wish for transmissions regarding their location to be intercepted by the very individuals they might be pursuing.

[0006] As scanner technology has advanced, sophisticated scanners were developed that could keep up with the channel switching that occurs on digital trunked radio systems. These sophisticated scanners are able to understand the control channel communications and, as a result, can follow conversations as the transmissions switch from one working channel to another.

[0007] Existing systems have used various techniques to defeat the newer, sophisticated scanners, with varying levels of success. The Enhanced Digital Access Communications System (EDACS), produced and sold by M/A-COM Private Radio Systems, Inc. (Lynchburg, Va.), employs a tone-drop technique to make the calls more difficult to follow. This technique transmits a tone following a transmission on a working channel. The scanner remains locked on the tone, while the radio itself recognizes the tone and releases the working channel. However, while this technique worked for less sophisticated scanners, highly sophisticated scanners could also recognize the tone sequence and drop the working channel.

[0008] Another alternative is to use encryption devices to encode and decode each transmission (voice or data) such that the users of scanners would not be able to understand the communication, even if the scanner could follow the channel switching. This also has some drawbacks. First, encryption requires the use of fairly complex encryption algorithms to encode the transmissions, which then need to be decoded upon receipt. This requires additional hardware to be added at the base station and on each radio, or alternatively, requires the use of encoding and decoding encryption software. This is an expensive solution. In addition, each message must be encoded and decoded, which further causes a strain on the system time constraints.

[0009] Another concern has developed over the years that digital trunked radio systems have been in operation. Radios that formerly were part of digital trunked radio systems and have been lost or stolen over the years have been appearing for sale at places such as Ebay (www.ebay.com). Radio hackers purchase these radios and program them to intercept transmissions on systems being used today. In addition, information regarding the system to which these “pirate” radios belonged can be read from the radios, such as the RF frequencies on which the system operates. This type of information makes it easier for unauthorized access to the communications, and thus adds another security concern in addition to the advancement of scanner technology.

[0010] Furthermore, as systems such as EDACS expand to include more sites and a wider geographic area, more personnel are required to maintain and administer the system. Unauthorized access to site data by individuals other than the proper administrators is another means by which system information can be obtained by unauthorized parties.

[0011] It is desired to prevent unauthorized individuals from accessing the radio system, either by intercepting transmissions or by obtaining the system information directly from a radio or from site equipment. What is desired is a simple, cost-effective security system that provides the required level of security in all facets of the system, including over the air transmissions and radio or system site access.

SUMMARY OF THE INVENTION

[0012] The present invention provides a complete security system for a digital trunked radio system. In accordance with the present invention, a digital system security key (SSK) is provided to both site base stations and individual radios. The key provides security to the system by performing two functions.

[0013] First, the SSK is used to perform a simple encryption of the control channel transmissions. By encrypting the control channel, the need to use encryption techniques on each working channel transmission is eliminated. Scanners and unauthorized radios are unable to understand the working channel assignments sent on the control channel, and thus are unable to track the un-encrypted transmissions as they switch through a plurality of different working channels.

[0014] The control channel transmissions are secured by using a mask created from the SSK. The SSK is a 16 bit binary word known to the base station and all of the radios on the system. A digital mask is created by combining the SSK with a fixed bit pattern. The control channel transmission is combined with the mask on transmission by using a simple exclusive-or process (XOR) to form a simplistic encoded transmission. The receiving radios perform the same process with the same mask to decode the transmission.

[0015] In a preferred embodiment, only the outbound transmissions (those sent from the base station to the radios) are encrypted using the mask formed from the SSK. Inbound transmissions (those originating from the radios and being sent to the base station) remain the same as the transmissions used in the prior art. For applications that require a higher level of security, an alternate embodiment can apply the mask to both inbound and outbound transmissions.

[0016] In a preferred embodiment of the present invention, the SSK can be programmed into each radio unit individually, or alternatively, the SSK can be manually programmed solely into the site base station and transmitted over the air to the radios.

[0017] The second security function provided by the SSK is to provide a means to prevent access to a system by unauthorized individuals, while allowing authorized system administrators to gain entry to the system. In accordance with the present invention, the SSK is stored on a smart card. An individual attempting to log onto the system would need to swipe the card using a card reader attached to the site base station or radio unit. The key on the smart card is checked to see if it matches the key loaded on the system equipment. If it does, the individual can gain access to the administrative functions. If it does not, access is denied.

[0018] The SSK is encrypted before being placed on a smart card or on the system units. This provides added security by making it less prone to interception by unauthorized radios in the event the key is distributed via transmission over the air.

BRIEF DESCRIPTION OF THE DRAWINGS

[0019] FIG. 1 is an illustration of a digital trunked radio system, such as EDACS, in accordance with the prior art.

[0020] FIG. 2 is an example of the format of a digital mask created using an SSK in accordance with the present invention.

[0021] FIG. 3 is a logic diagram of the process performed on the control channel transmissions in accordance with the present invention.

[0022] FIG. 4 is a flow chart of the process by which the key provides security against unauthorized users obtaining data from a radio terminal.

[0023] FIG. 5 is a flow chart of the process by which the key provides security against unauthorized users accessing the system management functions.

DETAILED DESCRIPTION OF THE INVENTION

[0024] The preferred embodiment of the present invention provides a method to scramble or encrypt digital transmission on the control channel of a digital trunked radio system by using a system security key (SSK). For sake of example, the following description shall be set forth in connection with an EDACS radio system. However, it should be understood that the same technique can be applied to other digital trunked radio communication systems.

[0025] The EDACS system, like all digital trunked radio communication systems, uses a plurality of working channels for voice and data communication, and a control channel for system management purposes (e.g., working channel assignment, radio identifier information, group identifier information). The techniques of the present invention are applied to transmissions solely on the control channel. Transmissions on the control channel can be classified into two distinct types according to direction with respect to the origination point of the transmission. For the purposes of this discussion, control channel transmissions from a site on the system (e.g., base station, repeater site) to one or more radios shall be referred to as “outbound” transmissions. Control channel transmissions from an individual radio to a system site shall be referred to as “inbound” transmissions. The embodiment described herein applies the techniques of the present invention only to outbound transmissions on the control channel; however, alternate embodiments include using the SSK to encrypt both the outbound and inbound transmissions.

[0026] The SSK is a digital code word or key that is programmed into both the transmitting and receiving radio units. The SSK in the preferred embodiment comprises a sixteen bit binary word. A sixteen bit SSK allows for 2^16 or 65536 distinct key possibilities. Alternate embodiments could use any number of bits ranging from 1 to 28 (the number of bits contained in an outbound message in the EDACS protocol). If fewer bits are used, the number of possibilities for the SSK is reduced; thus, the system is less secure. Additional bits add security, but there is a tradeoff in that the encoding becomes more complex as a result of having to process more bits.

[0027] The sixteen bit SSK in the preferred embodiment is created by entering the desired key into a Key Entry Device (KED). The key entry device is a computer (e.g., PC, laptop, PDA) containing a serial output port. In the preferred embodiment, the desired SSK is entered into the KED and downloaded to a smart card (a card with a magnetic carrier, e.g., credit cards) using well-known methods. The smart card can be used to enter the SSK directly into each radio one at a time; however, it is more feasible to use a smart card to enter the SSK into the site equipment, and then to transmit the SSK over a working channel to the individual radios.

[0028] To ensure secure transmission of the SSK to the radio units, the KED is equipped with an encryption algorithm. Prior to placing the SSK on the smart card, the SSK is encrypted. The resulting digital word is referred to as the encrypted System Security Key (eSSK). Any type of encryption algorithm can be used to develop the eSSK, and such algorithms are well known in the art. The SSK is then transferred in eSSK form to the site equipment directly using the smart card and to the radios using the smart card or by sending the eSSK over the air.

[0029] In the preferred embodiment, the resulting SSK is used to create a digital mask for scrambling outbound control channel transmissions upon transmission (in the case of a site) or unscrambling outbound control transmissions upon receipt (in the case of a radio on the system). FIG. 2 illustrates the process by which the messages are scrambled. Outbound messages on an EDACS system comprise a total of forty bits. The first twenty-eight bits are used to form the informational part of the message 200. An exclusive-or (XOR) process 201 is applied to the twenty-eight bits comprising the informational part using a twenty-eight bit mask 202 created from the SSK.

[0030] The XOR function has a desired property in that a binary code that is combined using the XOR process to a constant binary value twice will always yield the original bit value. For example, a bit with the value of one can be processed with an XOR with a mask value of one, yielding a resulting scrambled value of zero. Upon receipt by a radio, the scrambled zero is then processed with an XOR function a second time using the same mask value of one. This second process will combine the scrambled value of zero with the mask value of one and result in a value of one, which is the original bit value.

[0031] The mask 202 is created by combining the encrypted SSK, or eSSK, with a fixed bit pattern. The eSSK is sixteen bits in length. These sixteen bits are combined with a fixed bit pattern of twelve bits to create a twenty-eight bit XOR mask 202. An example of the mask 202 is illustrated in FIG. 3. The fixed portion of the mask resides in bits five and seventeen to twenty-seven. Bit five is held constant to keep the key illustrated compatible with certain existing radios on some EDACS systems that require bit five to be zero; however, alternate embodiments could vary the location of the fixed portion. Alternate embodiments also include using greater or fewer bits for the variable portion, and a corresponding inverse adjustment to the fixed portion. The variable portion of the mask is contained in bits zero through four and six through sixteen. It is the variable portion of the mask that is changed when a new SSK is selected, or when the more secure dynamic security technique is employed, as further discussed below.

[0032] Following the XOR process 201 between the 28 bit message 200 and the mask 202, a BCH forward error correction code 203 is applied to the twenty-eight bit encoded informational message to result in a message length of forty bits, as known in the art.

[0033] The resulting forty bit message is then triplicated using a message triplicator 205 (implemented with either software or hardware) and transmitted. The transmission protocol of EDACS requires messages to be sent in triplicate for reliability; however, this process is not material to the present invention and thus is not further discussed herein. When this message is received by the radio, the forty bit message is decoded with a (28,12) BCH decoder. The scrambled bit message is then subjected to the XOR function using the SSK to result in the original digital message.

[0034] Two types of message scrambling can be obtained using the SSK. The first type is a static scrambling process. It is the simpler (and thus easier to implement) of the two types, and as such is the preferred embodiment for systems that do not require a higher level of security. The static method uses the same digital mask (created by combining the SSK with the fixed pattern) for all transmissions. The mask can always be changed by the administrator of the system if there is a concern that security may have been breached; however, unless a new SSK is chosen, the mask used to scramble the control channel transmissions remains the same.

[0035] The second type of scrambling is dynamic scrambling. In this embodiment, the mask is modified at set intervals, such as after each transmission. The encryption algorithm used to determine the initial SSK is applied to the current mask at each predetermined interval. This increases the security level of the system, as the digital mask is constantly changing, making it much more difficult for an unauthorized user to unscramble the control channel transmissions. However, this also increases the complexity of the software required on the site equipment and the radios, as synchronization of the mask needs to be maintained between the transmitting equipment and the receiving equipment. Both units must necessarily change the mask at the same time, or the system will break down.
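
The mask construction of [0029]-[0031] and the static and dynamic modes of [0034]-[0035], as an added Python sketch that is not part of the patent text. The fixed-pattern value, the order in which key bits fill the variable positions, bit 0 being the least significant bit, and the `step_key` update (a placeholder for the unspecified encryption algorithm) are all assumptions; BCH coding and triplication are omitted.

```python
"""Added illustration of SSK control-channel scrambling; not code from the patent."""

MSG_BITS = 28
MSG_LIMIT = 1 << MSG_BITS

# Mask layout from [0031]: variable portion in bits 0-4 and 6-16,
# fixed portion in bit 5 and bits 17-27. Bit 0 = least significant (assumption).
VARIABLE_POSITIONS = list(range(0, 5)) + list(range(6, 17))   # 16 positions
FIXED_POSITIONS = [5] + list(range(17, 28))                   # 12 positions

# ASSUMPTION: the page does not give the fixed pattern, only that bit 5 must
# be zero for some existing radios. This value is constructed for the example.
FIXED_PATTERN = 0b10101010101 << 17


def build_mask(key16):
    """Spread a 16-bit key word over the variable positions of the 28-bit mask."""
    if not 0 <= key16 < (1 << 16):
        raise ValueError("key word must fit in 16 bits")
    mask = FIXED_PATTERN
    # ASSUMPTION: key bit i goes to the i-th variable position, low bit first.
    for i, pos in enumerate(VARIABLE_POSITIONS):
        mask |= ((key16 >> i) & 1) << pos
    return mask


def scramble(word28, mask):
    """XOR with the mask; applying it twice restores the word ([0030])."""
    if not 0 <= word28 < MSG_LIMIT:
        raise ValueError("message must fit in 28 bits")
    return word28 ^ mask


def step_key(key16):
    """PLACEHOLDER for the unspecified algorithm that updates the mask in
    dynamic mode. A 16-bit linear congruential step, not a cipher."""
    return (key16 * 25173 + 13849) & 0xFFFF


def simulate_dynamic(key16, messages, lost=()):
    """Site and radio both step the key after each outbound message.

    `lost` holds indexes of messages the radio never receives. The radio does
    not step for those, so its mask falls behind the site's. Returns what the
    radio decodes for each message (None for a lost one).
    """
    site_key = radio_key = key16
    decoded = []
    for i, msg in enumerate(messages):
        on_air = scramble(msg, build_mask(site_key))
        site_key = step_key(site_key)
        if i in lost:
            decoded.append(None)
            continue
        decoded.append(scramble(on_air, build_mask(radio_key)))
        radio_key = step_key(radio_key)
    return decoded


if __name__ == "__main__":
    key = 0xBEEF                                # constructed sample key word
    msgs = [0x0123456, 0x0ABCDEF, 0x0F0F0F0]    # constructed 28-bit messages

    mask = build_mask(key)
    print(f"mask            = {mask:028b}")

    # Static mode ([0034]): one mask for every transmission.
    on_air = scramble(msgs[0], mask)
    print(f"scrambled       = {on_air:028b}")
    print(f"round trip ok   = {scramble(on_air, mask) == msgs[0]}")

    # Dynamic mode ([0035]): in step, then with message 1 lost by the radio.
    print("in sync         =", simulate_dynamic(key, msgs) == msgs)
    out = simulate_dynamic(key, msgs, lost={1})
    print("after one loss  =", [None if w is None else hex(w) for w in out])
```

After a single lost outbound message the radio's mask lags the site's by one step, so every later message descrambles incorrectly until the two are resynchronized, which is the synchronization cost [0035] describes.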

[0036] The second function of the SSK is to provide access control to the radio system. In the prior art, an individual could determine information about the system (e.g., frequencies, group assignments) by reading system data from a radio. The SSK (in encrypted, or eSSK form) is used to limit access to the system information stored in a radio terminal to only authorized personnel. In order to access the system information stored in a radio, the radio needs to be again connected to the KED, which, in the preferred embodiment, is a card reader device. A smart card (e.g., a card with a magnetic information strip contained on it, similar to a credit card) that contains an eSSK that matches the eSSK programmed into the radio is needed to access the system data stored on the radio.

[0037] FIG. 4 is a flow chart illustrating the steps for accessing system data contained on a radio. The individual radio units are programmed using terminal programming software, which is located on a computer attached to the radio via a serial port, or alternatively is located on the radio itself. Once this software is started (step 401), it performs a comparison of the eSSK presently loaded into the radio with the eSSK on the smart card. The software loads the eSSK from the smart card (step 403) and the eSSK from the radio (step 405). As some radios are capable of operating on several different EDACS systems (i.e., various site locations), a particular system is chosen (step 407). Next, a check is performed to determine if the system selected has an eSSK currently on it (step 409). If it does not, the user may install the eSSK from the card onto the system (step 411). This requires the user to select an eSSK from the card (step 413) to be entered into the radio. If it does, the eSSK in the system is checked against the eSSK on the smart card (step 415). If the two digital keys do not match, access to the system data is denied (step 417). If they match, the user is allowed access into the system data (step 419). The user can change the eSSK at this point if desired (step 421) by selecting a new eSSK from the smart card (step 425), or the user can edit any of the other system data (step 423). For radios programmed to operate on more than one system, the user has the option to repeat the entire process to edit a different system (step 427). Once all of the system data is edited as desired, the edited data is programmed into the radio terminal (step 429).

[0038] The same type of security function is performed on the system management side using the smart card programmed with an eSSK. FIG. 5 is a flow chart illustrating the steps necessary to access system data at the location of the system management terminal, usually found at a base station or site location. Systems enabled with the SSK feature can operate in SSK mode or standard mode. As discussed above, the ability to turn off the SSK feature allows non-SSK enabled systems to operate in cooperation with SSK enabled systems when desired. The correct eSSK on a smart card is necessary for a user to log onto the management system and disable the SSK mode. A user logs onto the management system (step 501), chooses the SSK administration function (step 503), and then is required to enter an eSSK using the smart card (step 505). If the key on the card matches the eSSK in the system (step 513), the user has access to enable (steps 515 and 519) or disable (step 517) the SSK mode. This enable/disable parameter is stored on the system (step 521). A choice is then made whether this information should be sent to all RF sites on the system (step 523), and if desired, the updated information is sent out (step 525).

[0039] In the preferred embodiment, however, an emergency access feature exists. This feature allows a user who has a valid smart card that does not contain the matching eSSK to turn off the eSSK in an emergency situation. This is done by loading a new eSSK on the system (step 507) by choosing an eSSK from the smart card (step 509) and loading the new eSSK into the application memory as the new system eSSK (step 511). The user can choose whether to enable the new key (step 519) or disable the new key (step 517), with the selection being stored (step 521). The purpose of this feature is to allow an administrator to be able to access the system and edit the SSK mode in an emergency without a smart card containing the matching key by installing a new key from another valid smart card. By installing the new key, the administrator can bypass the key matching process (step 513). However, to do so still requires a valid smart card, so security is not unreasonably compromised, but at the same time provides a means for users with valid smart cards to bypass this layer of system security in the event that no matching smart cards are available.

[0040] The use of the system security key provides an efficient, complete security system for a digital trunked radio system. Security is obtained against individuals attempting to eavesdrop on transmissions using scanners and pirate radios. The system also prevents system data from being read from radio units, or from the system site. All of these features are accomplished through the use of a simple and cost-effective method of using a digital key. In light of the ever increasing security concerns present in the world today, the present invention provides a significant improvement to the non-secure systems of the prior art.

[0041] It should be understood that the foregoing is illustrative and not limiting and that obvious modifications may be made by those skilled in the art without departing from the spirit of the invention. Accordingly, the specification is intended to cover such alternatives, modifications, and equivalence as may be included within the spirit and scope of the invention as defined in the following claims.

What is claimed is:
 1. A method for secure communication within a digital trunked radio system having a digital control channel and a plurality of working channels, wherein said working channels are assigned for temporary use of individual radio units by digital control signals transmitted over said control channel, said control channel carrying digital control signals between a base site and said radio units, said method comprising the steps of: 1—selecting a digital key; 2—configuring both said base station and said radios with said key; 3—scrambling said digital control signals prior to transmission by performing an exclusive-or function between said digital control signals and said key; 4—transmitting said scrambled signals over said control channel; and 5—unscrambling said scrambled signal upon receipt by performing a second exclusive-or function between said scrambled signal and said key.
 2. The method as set forth in claim 1, wherein step 2 comprises the steps of: 2.1—encrypting said digital key using an encryption algorithm, and 2.2—transmitting said key after encryption to said base site and said radio units.
 3. The method as set forth in claim 2, wherein step 2.2 comprises transmitting said key via radio transmission over the air.
 4. The method as set forth in claim 1, wherein step 3 is performed only with respect to outbound control channel transmissions from said base station to said radio units.
 5. The method as set forth in claim 1, wherein step 3 is performed only with respect to inbound control channel transmissions from said radios to said base station.
 6. The method as set forth in claim 1, wherein step 3 is performed with respect to both outbound and inbound transmissions.
 7. The method as set forth in claim 1, further comprising the step of: 6—changing said digital key at predetermined intervals.
 8. The method as set forth in claim 7, wherein step 6 comprises: 6.1—processing said digital key using said encryption algorithm to create a digital key distinct from said key originally selected.
 9. The method as set forth in claim 8, wherein said interval is once following each transmission of said digital control signal.
 10. The method as set forth in claim 1, wherein said key comprises 28 bits.
 11. The method as set forth in claim 1, wherein signals on said working channels are not scrambled.
 12. The method as set forth in claim 1, wherein step 1 comprises: 1.1—selecting a variable bit pattern from existing possible combinations from a predetermined number of variable bits; and 1.2—combining said variable bit pattern with a fixed bit pattern.
 13. The method as set forth in claim 12, wherein the variable bit pattern comprises 16 bits.
 14. The method as set forth in claim 12, wherein the fixed bit pattern comprises 12 bits.
 15. An apparatus for secure transmission of radio communications over a digital trunked radio system comprising: at least one base site unit capable of transmitting and receiving radio communications, wherein said at least one base site unit is equipped with a digital security key for scrambling radio communications over said control channel; and a plurality of radio units capable of transmitting and receiving radio communications, wherein said radio units are equipped with a digital security key for unscrambling radio communications over said control channel; wherein said base site unit and said plurality of radio units communicate with each other using a digital control channel and a plurality of working channels, wherein said working channels are assigned for temporary use of said individual radio units by digital control signals transmitted over said control channel.
 16. An apparatus as set forth in claim 15, wherein said plurality of radio units are equipped with a digital security key for scrambling radio communications over said control channel, and wherein said at least one base unit is equipped with a digital security key for unscrambling radio communications over said control channel.
 17. An apparatus as set forth in claim 15, wherein said digital security key comprises a digital word 28 bits in length.
 18. An apparatus as set forth in claim 19, wherein said 28 bits comprises 16 variable bits and 12 fixed bits.
 19. An apparatus as set forth in claim 15, further comprising software for performing an encryption algorithm, wherein said software is used by said radio units and said base site unit to encrypt said security key.
 20. An apparatus as set forth in claim 21, wherein said software changes said security key using said encryption algorithm at predetermined intervals.
 21. An apparatus as set forth in claim 15, wherein the digital tuned radio system is an EDACS system.
 22. A radio for use on a digital trunked radio system, wherein said system comprises a digital control channel and a plurality of working channels, wherein said working channels are assigned for temporary use of said radio by digital control signals transmitted over said control channel, said radio equipped with a digital security key for scrambling and unscrambling radio communications over said control channel.
 23. A radio as set forth in claim 22, wherein said system for which said radio is for use is an EDACS system.
 24. A method for providing secure access of a user to system data stored on a terminal within a digital trunked radio system, said method comprising the steps of: 1—storing a first digital key on said terminal; 2—requiring a user to present a second digital key upon a request for access to said system data; and 3—comparing said first key and said second key, wherein access is permitted if said first key and said second key match.
 25. The method as set forth in claim 24, wherein said second key presented in step 2 is contained on a smart card.
 26. The method as set forth in claim 24, wherein said terminal is an individual radio unit.
 27. The method as set forth in claim 24, wherein said terminal is a site management terminal.
 28. The method as set forth in claim 24, wherein step 3 further comprises the steps of: 3.1—allowing a third digital key to be read from said smart card and stored on said terminal, wherein said third key replaces said first key; 3.2—permitting access to system data after replacing said first key with said third key.
 29. An apparatus for limiting access of a user to system data stored on a terminal within a digital trunked radio system, said system comprising: a smart card, said smart card containing a first digital key; a terminal, said terminal containing: a second digital key, a circuit for reading said first digital key from said smart card, and a circuit for comparing said first digital key with said second digital key, wherein access to said system data stored on said terminal is allowed only if said first key and said second keys match.
 30. An apparatus as set forth in claim 29, wherein said terminal is a radio unit.
 31. An apparatus as set forth in claim 29, wherein said terminal is a site station. 